CVE-2025-26696: Authentication Bypass by Spoofing in Mozilla Thunderbird

Severity
7.0 HIGH (NVD)
EPSS
0.2%
top 60.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 10
Latest update: Jul 22

Description

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploitability: 2.2 | Impact: 4.7

Affected Packages (2 packages)

NVD mozilla/thunderbird 129.0 136.0 +1
Debian mozilla/thunderbird < 1:128.8.0esr-1~deb11u1 +3

🔴 Vulnerability Details

3
OSV
CVE-2025-26696: Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wron... (2025-03-10)
GHSA
GHSA-w56w-w5xr-q52m: Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wron... (2025-03-10)
CVEList
Crafted email message incorrectly shown as being encrypted (2025-03-10)

📋 Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities (2025-07-22)
Red Hat
thunderbird: Crafted email message incorrectly shown as being encrypted (2025-03-10)
Debian
CVE-2025-26696: thunderbird - Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP... (2025)
Mozilla
Mozilla Foundation Security Advisory 2025-18: CVE-2025-26696
Mozilla
Mozilla Foundation Security Advisory 2025-17: CVE-2025-26696